Enterprise Insights

Latest Ponemon Security Report Examines Enterprise Data Breaches

Security administrators know that they have more to fear from negligent employees than they do from external hacks. Ponemon’s study, 2011 Cost of Data Breach Study: United States, is the seventh in the firm’s history and it comes to the same conclusion. It reports that “negligent insiders and malicious attacks are the main causes of data breach,” and 39 percent of organizations “say negligence was the root cause of the data breaches.”

What’s new (at least to me): “malicious attacks are 25 percent more costly than other types” of attacks.

If you want to cut the cost of a data breach, hire a chief information security officer (CISO) with responsibility for data protection. Doing so, Ponemon says, can cut the cost of a data breach “by 35 percent per compromised record.” The cost of such a breach in 2011 was $5.5 million dollars or $194 per record (based on information from 49 breaches at companies in the United States across 14 industries), which is down from $7.2 million ($214 per record) in 2010. Given that figure, the cost of that CISO could easily be justified by the savings alone.

Not ready to add to your payroll? “Outside consultants assisting with the breach response also can save as much as $41 per record.”

Experience with data breaches is also valuable. “Organizations that had their first ever data breach spent on average $37 more per record.” It also pays to take your time and get the facts straight after a breach. Enterprises “that responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record.”

Despite the serious impact to an enterprise’s reputation after a breach is made public, customers stay loyal. “For the first time, fewer customers are abandoning companies that have a data breach. However, certain industries are more susceptible to customer churn, which causes their data breach costs to be higher than the average.”

The study factored in both direct business costs (hiring forensic experts, free credit monitoring services for customers) and indirect costs (such as in-house investigations), as well as more complex factors such as loss of customers and customer turnover. It excludes “big” breaches (those over 100,000 records) because they are less common.